Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
An insecure password scheme refers to vulnerabilities arising from improper selection of encryption algorithms, inadequate key management, or flawed code implementation, which may lead to data leakage or tampering, such as hard-coded keys or the use of weak encryption algorithms.
AnalysisAI
Information disclosure in ZTE ZXUniPOS NDS-LTE (V24.40.40 and earlier, and V24.30.40CP02 and earlier) stems from an insecure cryptographic password scheme - such as hard-coded keys, weak encryption algorithms, or poor key management - that lets remote, unauthenticated attackers recover or tamper with protected data. The CVSS vector (AV:N/AC:H/PR:N) indicates network reachability without credentials but with high attack complexity, and the primary impact is confidentiality loss (C:H) with minor integrity and availability effects. There is no public exploit identified at time of analysis, and EPSS is very low (0.02%, 7th percentile).
Technical ContextAI
ZXUniPOS NDS-LTE is a ZTE telecom/OSS product line (CPE cpe:2.3:a:zte:zxunipos_nds-lte). The flaw is classified under CWE-310 (Cryptographic Issues), the root-cause category covering improper algorithm selection, inadequate key management, hard-coded secrets, and flawed crypto implementation. In practice this means data that should be protected at rest or in transit is secured with an algorithm or key handling that an attacker can defeat - e.g., a static/embedded key reused across deployments or a deprecated cipher - collapsing the confidentiality guarantee the scheme was meant to provide. The supplied description is generic CWE-310 boilerplate and does not name the exact algorithm or key, so the precise cryptographic defect is not specified in the available data.
RemediationAI
Patch available per vendor advisory: consult the ZTE bulletin (https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/3711746568357343394) and upgrade ZXUniPOS NDS-LTE beyond the affected V24.40.40 / V24.30.40CP02 baselines - an exact fixed version is not specified in the available data, so confirm the target build directly with ZTE. Because the defect is cryptographic, software upgrade is the only true fix; as compensating controls until patched, restrict network reachability to the affected service by placing it behind segmentation/firewall rules so the AV:N path is not exposed beyond trusted management networks (trade-off: may break legitimate remote integrations), and rotate any keys or credentials that may have been protected by the weak scheme once the fixed build is deployed (trade-off: requires coordinated re-provisioning). Avoid relying on the existing crypto for any sensitive data until upgraded.
More in Zxunipos Nds Lte
View allImproper access control in ZTE ZXUniPOS NDS-LTE (V24.40.40 and earlier, and V24.30.40CP02 and earlier) lets remote unaut
CSRF vulnerability in ZTE ZXUniPOS NDS-LTE enables an attacker to forge authenticated cross-site requests that modify sy
Business logic abuse in ZTE ZXUniPOS NDS-LTE (versions V24.40.40 and V24.30.40CP02) allows a highly privileged authentic
Same weakness CWE-310 – Cryptographic Issues
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32049
GHSA-grx5-r275-m4vr